I should add that bug 1839037 is a bug in the subset test introduced in kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will properly transition some won't it all depends on what is in the stack being transitioned. The patch fixes it so the all transitions combinations pass correctly. The patch actual allows more transitions under nnp than when it is not applied. The bug does not exist in the 4.17 or later kernel version.
The 5.0 HWE kernel never had the bug addressed in bug 1839037, and did not receive the patch. The DENY messages above indicate that this is a case of a cross policy namespace check, I am investigating if cross namespace checks are broken. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1844186 Title: [regression] NoNewPrivileges incompatible with Apparmor Status in linux package in Ubuntu: Confirmed Bug description: Description: Host: Bionic 64 bit with GA kernel (4.15) Container: Bionic 64 bit The container runs a binary (/usr/sbin/nsd) locked by an Apparmor profile. The systemd service is configured with NoNewPrivileges=yes. # systemctl show nsd | grep ^NoNew NoNewPrivileges=yes This setup worked fine with 4.15.0-58-generic and before but stopped working with the 4.15.0-60-generic update. When running the bogus kernel, starting the nsd service fails and the following is logged in the host's dmesg: audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd" audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd" Disabling the Apparmor profile OR setting NoNewPrivileges=no in the container makes it work again. I check with a couple of kernels: 4.15.0-52-generic works 4.15.0-58-generic works 4.15.0-60-generic is broken The 5.0 HWE kernel has always been broken it seems: 5.0.0-15-generic is broken 5.0.0-17-generic is broken 5.0.0-20-generic is broken 5.0.0-23-generic is broken 5.0.0-25-generic is broken 5.0.0-27-generic is broken I have another similar setup but using Xenial host/container and it broke in a similar fashion where 4.4.0-159-generic works but 4.4.0-161-generic is broken. Additional information: # lsb_release -rd Description: Ubuntu 18.04.3 LTS Release: 18.04 # apt-cache policy nsd nsd: Installed: 4.1.26-1ubuntu0.18.04.1~ppa2 Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2 Version table: *** 4.1.26-1ubuntu0.18.04.1~ppa2 500 500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages 100 /var/lib/dpkg/status 4.1.17-1build1 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages nsd comes from a custom backport this should be irrelevant. nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/ ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-60-generic 4.15.0-60.67 ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21 Uname: Linux 5.0.0-27-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair AlsaDevices: total 0 crw-rw---- 1 root audio 116, 1 Sep 16 18:02 seq crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay' ApportVersion: 2.20.9-0ubuntu7.7 Architecture: amd64 ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord' AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1: CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found. Date: Mon Sep 16 18:14:02 2019 InstallationDate: Installed on 2019-08-22 (24 days ago) InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805) IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig' MachineType: Dell Inc. Inspiron 530s PciMultimedia: ProcEnviron: LANG=en_US.UTF-8 SHELL=/bin/bash TERM=xterm-256color PATH=(custom, no user) ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none RelatedPackageVersions: linux-restricted-modules-5.0.0-27-generic N/A linux-backports-modules-5.0.0-27-generic N/A linux-firmware 1.173.9 RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill' SourcePackage: linux UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 02/24/2009 dmi.bios.vendor: Dell Inc. dmi.bios.version: 1.0.18 dmi.board.name: 0RY007 dmi.board.vendor: Dell Inc. dmi.chassis.type: 3 dmi.chassis.vendor: Dell Inc. dmi.chassis.version: OEM dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM: dmi.product.name: Inspiron 530s dmi.sys.vendor: Dell Inc. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1844186/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
